Configure delegation rights for the service account.

Procedure

  1. Open Active Directory Users and Computers on the domain that you are authenticating to and navigate to View and enable the Advanced Features.
  2. If you do not have a Service Account created for the SEG to use for the Kerberos request, create a Service Account and name the Service Account SVC awseg.
  3. Right-click the Service Account, and select Properties. In the Properties menu, select the Attribute Editor tab.
  4. To assign delegation rights to a user account, Microsoft requires that the account be assigned a Service Principal Name (SPN). Find the servicePrincipalName attribute in the list and edit it to be in the format HTTP/SVC_awseg.
    Service Principal Name
  5. After setting up the SPN for the user account, close the Properties window and reopen it to access the Delegation tab. Delegation cannot be set for a user account until an SPN is set.
  6. On the Delegation tab, select the option Trust this user for delegation to specified services only and also Use any authentication protocol.
  7. Select Add and then search and select the Exchange server (or the ASA account if you followed Create an Alternate Service Account (ASA)) for which you want to provide the delegation rights. You should provide the actual machine name of the Exchange server {EX_MACHINE_NAME}. For example EXCH. Scroll through the list to find the HTTP service type. If you set the SPN for the Exchange server in Step 2, select the SPN you created. If you have not set the SPN, select the HTTP service type for your server.
    Add Exchange Server Name